
WordPress Targeted with Clever SEO Injection Malware

The malware does its best to obfuscate SEO injection in WordPress and evade notice from web admins.

A clever malware built for SEO injection – where a black hat loads up a webpage with spammy links, redirects and ad keywords, unbeknownst to the site owner – has been seen evading detection with an innovative approach that involves appending itself in an unusual place in the back-end code of a WordPress site.

Researchers at Sucuri have seen the malware crop up in two unrelated sites recently, targeting both English- and Korean-speaking searchers who are looking for various “free” downloads.

Upon analysis, the researchers discovered that the malware has two functions. First, it can add hidden links for indexing by search engines (a process that usually violates search engine terms of service and could result in blacklisting of the site); and second, it can redirect site visitors to spam content. The latter function is more advanced than usual, because it only redirects unregistered site users (presumably one-time visitors who wouldn’t flag the issue to the webmaster). And, it redirects visitors to certain pages based on their profile.

So, malefactors can inject SEO terms – hidden from site users – into the web page’s code, which will be indexed and move the site up in the search engine results. That improves the exposure for the true purpose of the campaign, which is to redirect visitors to sketchy external sites, which could be carrying out ad fraud or serving malware, among other things.

A Savvy Approach

Typically, SEO injection involves either injecting HTML code for concealed elements in theme files or injecting fake spam posts in the WordPress database, according to Sucuri – and in both cases, the injection is simple to uncover with either a file search or a keyword search within WordPress.

“Infections are usually found via a simple file search for the terms attackers inject on the page,” the researchers explained in a Monday posting. “Did you find SEO spam for luxury handbags on your site? Search your files for that term and bang, there it is.” From there, site owners can simply delete the rogue content and then submit the site for blacklist review/SEO reindexing.

In this case, the malware creates a special repository in the site’s database to store spam content and information about logged-in visitors; so, rather than just uploading spam posts into the normal dashboard, these tables use a different prefix from legitimate WordPress content. That means the posts won’t load or show up on a site’s admin dashboard.

When a visitor hits the site, the malware then hijacks the normal WordPress database connection that would occur when loading a page, and redirects that connection to the hidden area to fetch links to the spam posts. It then appends these links to the legitimate content before sending it back to the visitor’s browser.

“The attacker was smart enough to return the database connection to the default tables before handing back the control so WordPress’ default flow can proceed ‘normally,’” researchers explained. “The injected links are invisible to human visitors, but search engines crawl and index them and they become search results.”

In order to redirect visitors to third-party sites based on profile, the malware authors have added special JavaScript links into the spam posts that allow them to inject redirect scripts into the posts on the fly.

“[For instance], a request to the hacker-controlled my-game[.]biz site is made to fetch additional customized code based on the visitor’s IP address, referrer and browser’s User-Agent string,” Sucuri explained.

It also appends the SEO spam right after the closing HTML tag, making it difficult to easily find the malware.

“After some extensive searches, we noticed a suspicious code block on the theme’s functions.php file loading content from the WordPress’s wp_options table,” the researchers noted. “The code itself looks suspicious, as it silently executes part of the content fetched from the database. On top of that, it loads a theme_css option, which is not how CSS is usually loaded on a typical WordPress theme. Searching the database for that option, we found the malware itself.”

While Sucuri itself found two specific samples in the wild, it performed a PublicWWW search (a search engine that crawls source code) and uncovered 173 hacked sites with the malware installed.

“Hacked sites affected by this kind of black hat SEO campaign can get links from around a thousand sites overnight,” the researchers said.

Site owners will have to do a little more than a search to clean up the infection: They’ll need to find and remove the malicious code from the theme’s functions.php, Sucuri noted; and then, find and remove the themes_css option, which may have been given a random name. And finally, admins should check their WordPress database for tables with unknown prefixes.
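The three cleanup steps above (a loader in functions.php that executes something fetched from wp_options, an option whose name may be random, and database tables under a foreign prefix), plus the detail that the spam is appended after the closing HTML tag, can each be turned into a mechanical check. The following script is an added example written for this article, not code from Sucuri or from the malware; the functions.php snippet, the table listing and the HTML page it scans are constructed samples that imitate what the article describes (the backupdb_wp_ prefix comes from the discussion below the article, the plugin table name wp_myplugin_log and the domain example.invalid are made up), and the core-table list is the standard set of twelve WordPress tables.

```python
import re

# The twelve core WordPress tables, as suffixes after the site's table prefix.
WP_CORE_SUFFIXES = {
    "posts", "postmeta", "options", "users", "usermeta", "terms",
    "term_taxonomy", "term_relationships", "termmeta", "comments",
    "commentmeta", "links",
}

# PHP functions that execute or decode data. Database content flowing into
# one of these is the "silently executes part of the content fetched from
# the database" pattern the article describes.
EXEC_OR_DECODE = ("eval", "assert", "create_function", "base64_decode",
                  "gzinflate", "gzuncompress", "str_rot13")


def _call_argument(code, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(code)):
        if code[i] == "(":
            depth += 1
        elif code[i] == ")":
            depth -= 1
            if depth == 0:
                return code[open_paren + 1:i]
    return code[open_paren + 1:]


def suspicious_options_in_php(code):
    """Names of wp_options rows whose value flows into an exec/decode call.

    Handles direct use, eval(get_option('x')), and one hop through a local
    variable, $v = get_option('x'); eval(... $v ...). Because the option
    name is taken from the code rather than matched against a fixed list,
    a randomly named option is reported just like theme_css would be.
    """
    var_to_option = dict(
        re.findall(r"(\$\w+)\s*=\s*get_option\(\s*['\"]([^'\"]+)['\"]", code)
    )
    flagged = set()
    pattern = r"\b(" + "|".join(EXEC_OR_DECODE) + r")\s*\("
    for m in re.finditer(pattern, code):
        arg = _call_argument(code, m.end() - 1)
        for opt in re.findall(r"get_option\(\s*['\"]([^'\"]+)['\"]", arg):
            flagged.add(opt)
        for var, opt in var_to_option.items():
            if re.search(re.escape(var) + r"\b", arg):
                flagged.add(opt)
    return sorted(flagged)


def unexpected_tables(table_names, site_prefix="wp_"):
    """Split a SHOW TABLES listing into tables under a foreign prefix and
    tables under the site prefix that are not core WordPress tables.
    The second group is normally plugin tables and only needs review."""
    foreign, unrecognized = [], []
    for name in table_names:
        if not name.startswith(site_prefix):
            foreign.append(name)
        elif name[len(site_prefix):] not in WP_CORE_SUFFIXES:
            unrecognized.append(name)
    return {"foreign_prefix": sorted(foreign),
            "non_core_under_site_prefix": sorted(unrecognized)}


def content_after_closing_html(html):
    """Return whatever follows the last </html> tag; a clean page returns ''."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


# Constructed sample inputs (not real infected data).
SAMPLE_FUNCTIONS_PHP = """<?php
function legit_styles() { wp_enqueue_style('main', get_stylesheet_uri()); }
add_action('wp_enqueue_scripts', 'legit_styles');
$theme_css = get_option('theme_css');
if (!empty($theme_css)) { @eval(base64_decode(substr($theme_css, 12))); }
$site_title = get_option('blogname');
"""
SAMPLE_TABLES = ["wp_" + s for s in sorted(WP_CORE_SUFFIXES)] + [
    "wp_myplugin_log", "backupdb_wp_posts", "backupdb_wp_lstat",
]
SAMPLE_HTML = ("<html><body><p>Real page</p></body></html>\n"
               "<div style=\"display:none\"><a href=\"http://example.invalid/\">"
               "free download</a></div>")

if __name__ == "__main__":
    print("options executed from the database:",
          suspicious_options_in_php(SAMPLE_FUNCTIONS_PHP))
    print("table review:", unexpected_tables(SAMPLE_TABLES))
    print("trailing content:", content_after_closing_html(SAMPLE_HTML))
```

On a real site the inputs would be the theme's functions.php, the output of SHOW TABLES (or a database dump) and a page fetched as an anonymous visitor, since the article notes the redirect and spam are only served to unregistered users; a logged-in admin viewing the page may see nothing at all.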

Discussion

Hi there! The researchers say that sites that have been infected with this particular SEO spam can refer to the following steps to clean it up:

1. Find and remove the malicious code from the theme’s functions.php.
2. Find and remove the option mentioned in the malicious code (e.g. themes_css, but the actual name may vary).
3. Check your WordPress database for tables with unknown prefixes, e.g. backupdb_wp_ instead of wp_. Specifically look for backupdb_wp_posts and backupdb_wp_lstat tables. The actual name may be different if you use a table prefix other than wp_.

Sucuri also has a guide on cleaning hacked WordPress sites: https://sucuri.net/guides/how-to-clean-hacked-wordpress-a

Authors

Threatpost
